China Information Technology Security Evaluation Center

China Information Technology Security Evaluation Center
中国信息安全测评中心 (Chinese)
Bureau overview
Formed	1997
Jurisdiction	Government of China
Headquarters	Building 1, Yard No.8, Shangdi West Road, Haidian District, Beijing, China
Employees	classified
Parent Ministry	Ministry of State Security
Child Bureau	Chinese National Vulnerability Database;
Website	www.itsec.gov.cn

The China Information Technology Security Evaluation Center (Chinese: 中国信息安全测评中心; CNITSEC, SNIT-sec) is the cover identity of the 13th Bureau of the Ministry of State Security, the information technology component of China's civilian spy agency which houses much of its technical cyber expertise.^[1] The bureau manages much of the conduct of cyberespionage for the agency, and provides aid to the many advanced persistent threats (APTs) run directly by the agency, by its semi-autonomous provincial State Security Departments (SSD) and municipal State Security Bureaus (SSB), and by contractors.^[2]^[3] In support of provincial state and party leadership, the bureau also runs its own semi-autonomous provincial Information Technology Security Evaluation Centers (ITSEC) in collaboration with provincial counterparts.^[4] In the past these ITSECs have been identified collaborating with APTs run by provincial state security units.^[4] The bureau also manages the Chinese National Vulnerability Database (CNNVD), where it has been found to selectively suppress or delay public reporting of certain zero-day vulnerabilities.^[3]

Operations[edit]

CNITSEC is used by the MSS to “conduct vulnerability testing and software reliability assessments.” Per a 2009 U.S. State Department cable, it is believed China may also use vulnerabilities derived from CNITSEC's activities in intelligence operations.^{[citation needed]}

Many believe that government requirements for CNITSEC to conduct "security reviews" of all foreign tech imports are intended to allow the MSS to identify zero-day vulnerabilities in the technology for use in intelligence operations, and force foreign companies to transfer proprietary technology and intellectual property to the MSS in exchange for access to Chinese markets.^{[citation needed]}

Chinese National Vulnerability Database[edit]

CNNVD is one of two national vulnerability databases operated by the PRC. According to Kristin Del Rosso of Sophos, "they have a history of strategically hoarding vulnerabilities." Recorded Future uncovered more than 200 vulnerability disclosures that had their original publication dates altered in a "sloppy coverup" following their discovery that vulnerabilities disclosure dates lagged reporting.^[5]^[2]^[6]

Advanced persistent threat involvement[edit]

In November 2016, a US Department of Defense report leaked, exposing the clients of Boyusec, a Guangzhou-based company responsible for the advanced persistent threat known as APT3. According to the Pentagon's report, Boyusec was actually a front for the MSS, who was working with Huawei to produce compromised security products with built-in backdoors that would allow Chinese intelligence “to capture data and control computer and telecommunications equipment.” The front's other client was Guangdong ITSEC, the provincial affiliate office of CNITSEC.^[4]

References[edit]

^ Inkster, Nigel (2015). "The Chinese Intelligence Agencies: Evolution and Empowerment in Cyberspace". In Reveron, Derek S.; Lindsay, Jon R.; Cheung, Tai Ming (eds.). China and Cybersecurity: Espionage, Strategy, and Politics in the Digital Domain. Oxford University Press. doi:10.1093/acprof:oso/9780190201265.003.0002. ISBN 9780190201296.
^ ^a ^b Del Rosso, Kristin (15 December 2022). "Is CNVD ≥ CVE? A Look at Chinese Vulnerability Discovery and Disclosure". SentinelOne. Retrieved 22 June 2023.
^ ^a ^b INSIKT GROUP (31 August 2017). "China's Cybersecurity Law Gives the Ministry of State Security Unprecedented New Powers Over Foreign Technology". Recorded Future. Retrieved 18 May 2023.
^ ^a ^b ^c INSIKT GROUP (17 May 2017). "Recorded Future Research Concludes Chinese Ministry of State Security Behind APT3". Recorded Future. Retrieved 18 May 2023.
^ Roberts, Paul (26 September 2022). "Gaps in the NVD increase U.S. cyber threat". ReversingLabs. Retrieved 22 June 2023.
^ O'Neill, Patrick Howell (9 March 2018). "China's national vulnerability database is merely a tool for its intelligence agencies". CyberScoop. Retrieved 22 June 2023.

External links[edit]

Official website

[1] Inkster, Nigel (2015). "The Chinese Intelligence Agencies: Evolution and Empowerment in Cyberspace". In Reveron, Derek S.; Lindsay, Jon R.; Cheung, Tai Ming (eds.). China and Cybersecurity: Espionage, Strategy, and Politics in the Digital Domain. Oxford University Press. doi:10.1093/acprof:oso/9780190201265.003.0002. ISBN 9780190201296.

[:0-2] Del Rosso, Kristin (15 December 2022). "Is CNVD ≥ CVE? A Look at Chinese Vulnerability Discovery and Disclosure". SentinelOne. Retrieved 22 June 2023.

[:1-3] INSIKT GROUP (31 August 2017). "China's Cybersecurity Law Gives the Ministry of State Security Unprecedented New Powers Over Foreign Technology". Recorded Future. Retrieved 18 May 2023.

[:2-4] INSIKT GROUP (17 May 2017). "Recorded Future Research Concludes Chinese Ministry of State Security Behind APT3". Recorded Future. Retrieved 18 May 2023.

[5] Roberts, Paul (26 September 2022). "Gaps in the NVD increase U.S. cyber threat". ReversingLabs. Retrieved 22 June 2023.

[6] O'Neill, Patrick Howell (9 March 2018). "China's national vulnerability database is merely a tool for its intelligence agencies". CyberScoop. Retrieved 22 June 2023.

[1]

[2]

[3]

[4]

[5]

[6]